A few weeks ago on -devel I made a proposal for a FAQ change. So far
I've received feedback from three people, all of it fairly positive, all
suggesting mild changes. The following represents a final draft, which
I'm now presenting on -users to get the most visibility/feedback. If
the community approves, I'll be submitting this to Werner for inclusion
into the FAQ.

=====

Q: Why does GnuPG default to 2048-bit RSA?
A: At the time the decision was made, 2048-bit RSA was thought to
provide reasonable security for the next decade or more while still
being compatible with the overwhelming majority of the OpenPGP
ecosystem.

Q: Is that still the case?
A: Largely, yes. According to NIST Special Publication 800-57,
published in July 2012, 2048-bit RSA is believed safe until 2030.
At present, no reputable cryptographer or research group has cast
doubt on the safety of RSA-2048. That said, many are suggesting
shifting to larger keys, and GnuPG will be making such a shift in
the near future.

Q: What do other groups have to say about 2048-bit RSA?
A: In 2014, the German Bundesnetzagentur fuer Elektrizitaet, Gas,
Telekommunikation, Post und Eisenbahnen recommended using RSA-2048
for long-term security in electronic signatures.

In 2012, ECRYPT-II published their "Yearly Report on Algorithms
and Keysizes" wherein they expressed their belief RSA-1776 will
suffice until at least 2020, and RSA-2432 until 2030.

In 2010, France's Agence Nationale de la Securite des Systemes
d'Information stated they had confidence in RSA-2048 until at
least 2020.

Q: Is there a general recommendation that 3072-bit keys be used for
new applications?
A: No, although some respected people and groups within the
cryptographic community have made such recommendations. Some
even recommend 4096-bit keys.

Q: Will GnuPG ever support RSA-3072 or RSA-4096 by default?
A: Probably not. The future is elliptical-curve cryptography,
which will bring a level of safety comparable to RSA-16384.
Every minute we spend arguing about whether we should change
the defaults to RSA-3072 or more is one minute the shift to
ECC is delayed. Frankly, we think ECC is a really good idea
and we'd like to see it deployed as soon as humanly possible.

Q: I think I need larger key sizes.
A: By all means, feel free to generate certificates with larger keys.
GnuPG supports up to 4096-bit keys.
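
For readers who want to see which keys in a keyring fall below a chosen RSA size, here is an added example (not part of the original post or of GnuPG itself) that parses the machine-readable listing from `gpg --list-keys --with-colons`. It assumes the usual colon-record layout (field 3 is the key length, field 4 the OpenPGP algorithm ID, field 10 of a `uid` record the user ID); the sample listing, key IDs and names are constructed.

```python
# Added example: flag RSA keys below a minimum size in GnuPG colon-format output.
# Real input would come from: gpg --list-keys --with-colons
RSA_ALGOS = {"1", "2", "3"}   # OpenPGP public-key algorithm IDs for RSA (RFC 4880)
MIN_RSA_BITS = 2048           # the default size discussed in the FAQ draft

# Constructed sample listing (key IDs, timestamps and user IDs are made up).
SAMPLE = """\
tru::1:1400000000:0:3:1:5
pub:u:2048:1:1111111111111111:1400000000:::u:::scESC:
uid:u::::1400000000::0000::Alice Example <alice@example.org>:
sub:u:2048:1:2222222222222222:1400000000::::::e:
pub:f:1024:1:3333333333333333:1100000000:::-:::scESC:
uid:f::::1100000000::0000::Bob Example <bob@example.org>:
sub:f:4096:1:4444444444444444:1100000000::::::e:
pub:f:1024:17:5555555555555555:1000000000:::-:::scSC:
uid:f::::1000000000::0000::Carol Example <carol@example.org>:
sub:f:2048:16:6666666666666666:1000000000::::::e:
"""

def parse_keys(colon_text):
    """Return one dict per pub/sub record; subkeys point at their primary key."""
    keys, primary = [], None
    for line in colon_text.splitlines():
        f = line.split(":")
        if f[0] in ("pub", "sub") and len(f) > 4 and f[2].isdigit():
            rec = {"type": f[0], "bits": int(f[2]), "algo": f[3],
                   "keyid": f[4], "uid": None}
            if f[0] == "pub":
                primary = rec
            rec["primary"] = primary or rec   # orphan subkey: refer to itself
            keys.append(rec)
        elif f[0] == "uid" and len(f) > 9 and primary and primary["uid"] is None:
            primary["uid"] = f[9]             # keep the first user ID only
    return keys

def weak_rsa_keys(colon_text, min_bits=MIN_RSA_BITS):
    """List (keyid, bits, record type, owner uid) for RSA keys under min_bits.
    Non-RSA algorithms (DSA, Elgamal, ECC) are out of scope and never flagged."""
    return [(k["keyid"], k["bits"], k["type"], k["primary"]["uid"])
            for k in parse_keys(colon_text)
            if k["algo"] in RSA_ALGOS and k["bits"] < min_bits]

if __name__ == "__main__":
    for keyid, bits, kind, uid in weak_rsa_keys(SAMPLE):
        print(f"{kind} {keyid}: RSA-{bits} below {MIN_RSA_BITS} bits ({uid})")
```

Passing a different `min_bits` (for example 3072) applies a stricter local policy to the same listing.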